3 Key Takeaways:
- Proxy bypass has evolved far beyond VPNs. Students are now using AI-built camouflage sites that pass content categorization and then swap their content, open-source proxy frameworks available on GitHub, and game aggregators that require no proxy at all. Traditional detection approaches only catch part of this picture — closing the gap requires seeing the page the way the student actually sees it.
- Visibility is the prerequisite for everything else. When a bypass succeeds, IT admins lose the insight that makes the rest of their security posture function. Lightspeed Filter™’s new Real-Time Bypass Detection can run in silent reporting mode for 14 days, giving districts a clear picture of what’s actually happening across their network before a single automatic block is triggered.
- AI platform activity is a blind spot most districts haven’t addressed yet. Staff and students are using ChatGPT, Gemini, and Copilot with sensitive data in ways that create real compliance and safety exposure — and no AI vendor provides an audit trail. Lightspeed Systems’ new AI Prompt Capture feature, now in Early Access, logs prompt sessions directly to the existing web activity report, giving districts the visibility they need without requiring a new platform or workflow.
I've been thinking about bypass as a pressure valve problem. You seal off one avenue — shared domains, VPNs, known proxy lists — and the pressure doesn't disappear. It finds the next weak point in the pipe. When we launched our shared domains category a few years ago, it made a real dent. Then the landscape shifted again. It always does.
What's different now is the speed and sophistication. Students are using open-source frameworks like Ultraviolet and Scramjet — both available as top GitHub results, downloadable by anyone in a few clicks. They're using AI to build convincing education sites complete with plausible lesson content, get them correctly categorized, and then quietly swap the content afterward. Some of those sites even have hidden keyboard shortcuts that unlock full access once they've passed review. And then there are game aggregators: standalone Google Sites or custom domains that skip proxies entirely and just host hundreds of games directly. Traditional proxy detection doesn't catch those at all.
We talk a lot about the threat statistics — 1 in 3 students has attempted to bypass content filtering, ransomware payouts targeting K-12 have climbed past $1.5 million — but I think the more useful frame is operational. When a bypass succeeds, you stop knowing what's going on. You're not just dealing with distraction risk. You lose the visibility that makes everything else work.
Three blind spots we kept running into
As we've dug into this problem over the past year, three gaps kept surfacing in how most districts are set up.
The first is on-device content. Network-level filtering sees domains and URLs, but it can't see what a page is actually rendering when a student is in the browser. A site that passed categorization last week can change its content today. The only way to catch that is to see the page the way the student sees it — from inside the browser, in real time.
The second is off-network coverage. Devices leave campus. They connect to home networks, coffee shop Wi-Fi, wherever. Threats accumulate in that unprotected window and then walk back through your door the next morning. Filtering that changes behavior based on network creates predictable gaps that are easy to exploit — intentionally or not.
The third is AI platform activity. Staff are moving fast and not always stopping to think about data policies before pasting student information into ChatGPT, Gemini, or Copilot. Students are using these tools in ways that create real safety and compliance exposure. And none of those platforms provide an audit trail. Until now, there hasn't been a way to know what's happening or investigate after the fact.
What we built to close them
Real-Time Bypass Detection is our answer to the first blind spot. We just launched it into Early Access for Chrome, Windows, and Mac, and I'm genuinely proud of how it works. It runs as a lightweight helper extension alongside your existing Lightspeed Filter™ setup and scans pages the way the student actually experiences them — not just the URL, but the JavaScript variables, the DOM structure, the presence of proxy library fingerprints, the behavioral patterns of game aggregators like tiled layouts and HTML5 canvas asset pulls. It re-scans as the page changes, so it's not a fire-and-forget check. And it runs in silent reporting mode by default, so you can see exactly what it's finding before you turn on automatic blocking.
We were serious about performance from the start. This runs on 2019-era Chromebooks without any perceptible impact. The detection logic is essentially a very sophisticated, layered set of programmatic rules — not a heavy AI model — so we can tune it tightly and optimize it for low-end hardware.
AI Prompt Capture is our answer to the third blind spot. It launched into Early Access the same week as Real-Time Bypass Detection. The same helper extension that powers bypass detection also scans ChatGPT, Gemini, and Copilot — the web-based versions — and logs prompt and response exchanges directly to your web activity report in Lightspeed Alert™. You can enable it per policy, so you're not capturing prompts from everyone indiscriminately. It gives you the audit trail the AI vendors won't build themselves.
Image Blurring, which we launched into General Availability earlier this year, rounds out the picture. The on-device MobileNet model detects explicit images in real time — tunable by content category so you can keep it off for education categories where it might create friction — with zero performance impact.
How we recommend getting started
All three features use the same helper extension, which makes deployment straightforward. For Image Blurring, you can install it today from your software setup page in the Lightspeed console.
For Real-Time Bypass Detection and AI Prompt Capture, reach out to your Account Manager or Solutions Engineer to get added to Early Access. Once you're in, the toggle appears in your policy settings. Not sure who your contact is? Log into help.lightspeedsystems.com — your assigned team is listed there.
My strong recommendation: start with 14 days of silent detection. No blocking, just reporting. Look at what the system is actually catching across your network. It will tell you more about your real exposure than any threat briefing could, and it gives you the data to make an informed decision about where and how to configure automatic blocking.
The bypass landscape isn't going to stop evolving. But for the first time, we're not just chasing it from one step behind — we're seeing what students actually see.
FAQs
How does Real-Time Bypass Detection actually work — what is it detecting?
Real-Time Bypass Detection uses a browser extension that runs alongside the Lightspeed Filter™ agent on the student’s device. It scans the page as the student actually sees it — not just the URL — looking at JavaScript variables, DOM structure, the presence of known proxy library fingerprints (like those used by Ultraviolet or Scramjet), and behavioral patterns such as about:blank window launchers and HTML5 canvas tiling consistent with game aggregators. It re-scans as the page changes, so it isn’t a one-time check at page load. You can run it in silent reporting mode to collect data before enabling automatic blocking.
Does this affect device performance, especially on older Chromebooks?
No. The team tested Real-Time Bypass Detection against 2019-era Chromebooks specifically to make sure older, lower-powered devices don’t take a performance hit. The detection engine is built as programmatic logic — a layered system of rules that scans for specific indicators — not a heavy on-device AI model. That architecture lets the team tune and optimize it to run with no perceptible impact on the device experience for students.
Can I try this without automatically blocking anything first?
Yes, and that’s actually what we recommend. Real-Time Bypass Detection has a silent reporting mode where all detections appear in your web activity log without triggering any blocks. We suggest running it this way for 14 days to understand what’s happening across your network before deciding where and how to configure automatic blocking. You can also configure blocking at the category level, so you’re not forced into an all-or-nothing choice.
What platforms does Real-Time Bypass Detection support? What about iOS?
Real-Time Bypass Detection is currently in Early Access for Chrome, Windows, and Mac. iOS is a known gap — Apple’s platform restrictions make this technically challenging. The team is actively exploring options, including MDM-managed Safari extensions in newer iOS versions, which have become more viable recently. In the meantime, iOS users still benefit from the detection data feeding into content recategorization by the Lightspeed content team, which has moved significant content into the Security Proxy category since Early Access launched.
What is AI Prompt Capture, and which platforms does it cover?
AI Prompt Capture is a new Early Access feature that logs student and staff prompt and response sessions from supported AI platforms directly into your Lightspeed web activity report. It uses the same browser extension as Real-Time Bypass Detection and Image Blurring, so there’s no additional installation required. At launch, it covers the web-based versions of ChatGPT, Gemini, and Copilot. Additional platforms will be added over time. It’s configurable per policy, so administrators can choose which student populations to enable it for.
How do I get access to these Early Access features?
Reach out to your Lightspeed Systems Account Manager or Solutions Engineer to get added to the Early Access program. Once added, the Real-Time Bypass Detection and AI Prompt Capture toggles will appear in your policy settings. If you’re not sure who your Account Manager is, log into help.lightspeedsystems.com — your assigned contacts are listed there. The helper extension required for all three features (bypass detection, image blurring, AI prompt capture) is available to all customers today from the software setup page and can be deployed in minutes.
Game aggregators are mentioned as a separate bypass vector — how does Lightspeed detect those?
Game aggregators are sites — often hosted on Google Sites or similar platforms — that don’t use a proxy at all. They simply host a large collection of games directly, which means traditional proxy detection misses them entirely. Real-Time Bypass Detection addresses this by looking at behavioral patterns beyond proxy library fingerprints: tile-based page layouts, how the page loads and initiates HTML5 canvases, asset sourcing patterns, and other indicators consistent with game aggregator frameworks like Nebula or Interstellar. Game aggregator detection is enabled by default when you turn on Real-Time Bypass Detection, though it can be adjusted if needed.
Do you know what's getting through your filter right now?
Start a 14-day silent detection trial and get a full picture of bypass activity across your district — no disruption, no configuration required, and no obligation.
